Use Cases
Summary
Keymate is deployed across three primary organizational models: Government-to-Citizen (G2C), Business-to-Business-to-Consumer (B2B2C), and Business-to-Business (B2B). Each model presents distinct access governance challenges (tenant isolation, delegated administration, regulatory compliance, and scale) that Keymate addresses by layering on top of existing Keycloak infrastructure.
Why It Exists
Different organizational models face different access governance challenges, but they share a common constraint: the existing IAM (typically Keycloak) provides authentication and basic role management, yet falls short on fine-grained authorization, multi-tenancy, and policy observability. Keymate was designed to fill these gaps regardless of the organizational topology.
How It Works
G2C: Government Agency - 5M Citizens, 12K Employees, Zero Downtime
Challenge: A public institution needed to deploy fine-grained access controls across internal and citizen-facing systems serving 5 million citizens and 12,000 employees. The existing Keycloak deployment handled authentication, but authorization decisions were scattered across application code with no centralized policy management or audit trail.
Solution: By layering Keymate on top of the existing Keycloak setup, the agency deployed DSAC (Data Security Attribute Control) and RADAC (Risk-Adaptive Access Control) across all systems with zero disruption to current workflows.
How it was achieved:
- DSAC policies enforce data masking based on sensitivity classification across citizen records
- Department-based access enforcement ensures staff only access data relevant to their organizational unit
- Transparent migration with no code rewrite: enforcement happens at the API Gateway rather than inside each application
- Full audit trail for every access decision, meeting regulatory compliance requirements
Impact:
- Data masking by policy across citizen records
- Department-based access enforcement
- Transparent migration, no code rewrite
- Regulatory compliance through auditable decision traces
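What the masking, department-scoping and audit-trail rules in this case study look like as enforcement logic, written here as an added example. This is not Keymate's DSAC implementation or SDK; the sensitivity levels, the field classification schema, the sample citizen record and the subject attributes (`department`, `clearance`, `crossDepartment`) are all assumptions made for the illustration.

```javascript
// Added example, not Keymate's DSAC implementation: field-level masking by
// sensitivity classification, department-scoped access, and an audit record
// for every decision. Levels, field schema and the sample record are assumed.

// Ordered sensitivity levels: a subject sees a field in the clear only if the
// rank of its clearance is at least the rank of the field's classification.
const LEVELS = ["public", "internal", "confidential", "restricted"];
const rank = (level) => LEVELS.indexOf(level); // unknown clearance -> -1 (sees nothing)
// Fail closed: an unrecognised classification counts as the highest level.
const classRank = (level) => (rank(level) < 0 ? LEVELS.length - 1 : rank(level));

// Classification of each field of a citizen record (constructed schema).
const FIELD_CLASS = {
  name: "internal",
  address: "confidential",
  taxId: "restricted",
  healthFlags: "restricted",
};

// Constructed sample record; `department` is the owning organisational unit.
const SAMPLE_RECORD = {
  citizenId: "C-1001",
  department: "tax",
  name: "A. Citizen",
  address: "1 Example St",
  taxId: "123-45-6789",
  healthFlags: ["none"],
};

// Keep a short prefix of strings so records stay recognisable; anything else
// is replaced wholesale.
function mask(value) {
  if (typeof value === "string" && value.length > 2) {
    return value.slice(0, 2) + "*".repeat(value.length - 2);
  }
  return "***";
}

// Evaluate a read request. Returns the (possibly masked) view together with
// the audit entry, which is also appended to `auditLog` whether the request
// is allowed or denied, so the trail covers every decision.
function authorizeRead(subject, record, auditLog) {
  const entry = {
    subject: subject.id,
    record: record.citizenId,
    decision: "deny",
    reason: "",
    maskedFields: [],
  };

  // Department-based enforcement: staff see only records of their own unit
  // unless they hold an explicit cross-department grant.
  if (subject.department !== record.department && subject.crossDepartment !== true) {
    entry.reason = "department mismatch";
    auditLog.push(entry);
    return { allowed: false, view: null, audit: entry };
  }

  const view = { citizenId: record.citizenId, department: record.department };
  for (const [field, level] of Object.entries(FIELD_CLASS)) {
    if (rank(subject.clearance) >= classRank(level)) {
      view[field] = record[field];
    } else {
      view[field] = mask(record[field]);
      entry.maskedFields.push(field);
    }
  }
  entry.decision = "allow";
  entry.reason = entry.maskedFields.length ? "allow with masking" : "allow";
  auditLog.push(entry);
  return { allowed: true, view, audit: entry };
}
```

In the deployment described above this logic would sit in the API Gateway on the response path, so applications keep returning full records and never need to know the classification scheme. Two details matter for the audit requirement: the entry is written on the deny path as well as the allow path, and it lists which fields were masked, so a later review can reconstruct exactly what a given employee saw.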
B2B2C: Fintech SaaS - From Role Explosion to ReBAC Control
Challenge: A leading fintech platform managing multiple partner banks and their end customers had accumulated over 200 RBAC role definitions. Each new partner onboarding required creating a new set of tenant-specific roles. Role audits took weeks, and access control bugs were frequent.
Solution: The team replaced the role sprawl with FGA engine-based relationship policies while staying on Keycloak for authentication. Keymate's policy-as-code approach enabled clean authorization logic and auditable policy changes.
How it was achieved:
- ReBAC via the FGA engine models partner-customer-resource relationships
- Scoped role assignments replace tenant-specific role cloning
- Policy changes are versioned, reviewed, and approved before deployment
- Integration through API Gateway plugin and language SDKs
Impact:
- 80% reduction in access control bugs
- Integration via API Gateway and SDK without app rewrites
- Full traceability with audit logs
- New partner onboarding requires zero new role definitions
B2B: Enterprise Vendor - Multi-Tenant Access Without Multi-Headaches
Challenge: A software vendor managing multiple enterprise clients needed isolated access per customer, delegated administration for each client's IT team, and cross-organization policy simulation, all from a single Keycloak instance.
Solution: Keymate's multi-tenant organization management provided the isolation, delegation, and observability needed without splitting into multiple Keycloak realms or instances.
How it was achieved:
- Each client is modeled as a tenant with isolated org units, policies, and user bases
- Client IT teams get delegated administration within scoped boundaries
- Cross-tenant policy simulation allows testing before deployment
- OpenTelemetry-driven observability tracks every decision per tenant
Impact:
- Tenant-aware session tracking
- Delegated access policies per client
- OpenTelemetry-driven observability
- Single Keycloak instance serves all tenants
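The two case studies above describe one mechanism from two angles: relationships replacing cloned tenant roles (B2B2C), and per-tenant delegated administration with policy simulation before deployment (B2B). The following is an added example of that mechanism, not Keymate's FGA engine, DSL or SDK. The object types, relation names, rewrite rules, tuple shape and sample tenants are assumptions chosen for the illustration.

```javascript
// Added example, not Keymate's FGA engine or DSL: a minimal ReBAC check over
// relation tuples, tenant-scoped delegated writes, and a dry-run simulation.
// Object types, relation names and the rewrite rules are assumptions.

// Relation rewrite rules per object type. `direct`: grantable by a stored
// tuple; `union`: relations on the same object that imply it; `via`: follow
// tuples of `tupleRel` to another object and check `targetRel` there.
const RULES = {
  tenant:   { admin: { direct: true } },
  customer: {
    tenant: { direct: true },
    viewer: { direct: true, via: [{ tupleRel: "tenant", targetRel: "admin" }] },
  },
  account:  {
    customer: { direct: true },
    owner:    { direct: true },
    viewer:   { union: ["owner"], via: [{ tupleRel: "customer", targetRel: "viewer" }] },
  },
};

// A tuple says "subject has relation on object", e.g.
// { tenant: "acme", object: "customer:c1", relation: "viewer", subject: "user:alice" }.

// Does `user` hold `relation` on `object`? Walks the rules above.
function check(tuples, object, relation, user, depth = 0) {
  if (depth > 8) return false; // bound the walk on malformed graphs
  const rule = (RULES[object.split(":")[0]] || {})[relation];
  if (!rule) return false;
  if (rule.direct && tuples.some((t) => t.object === object && t.relation === relation && t.subject === user)) {
    return true;
  }
  if ((rule.union || []).some((r) => check(tuples, object, r, user, depth + 1))) return true;
  return (rule.via || []).some(({ tupleRel, targetRel }) =>
    tuples.some((t) => t.object === object && t.relation === tupleRel &&
      check(tuples, t.subject, targetRel, user, depth + 1)));
}

// The platform operator bootstraps a tenant with its first delegated admin.
// Onboarding another partner is this call plus tuples; RULES never change.
function bootstrapTenant(store, tenant, adminUser) {
  store.objectTenant[`tenant:${tenant}`] = tenant;
  store.tuples.push({ tenant, object: `tenant:${tenant}`, relation: "admin", subject: adminUser });
}

// Delegated administration: an actor may write tuples only in a tenant where
// it holds admin, and only on objects that belong to that tenant.
function writeTuple(store, actor, tuple) {
  if (!check(store.tuples, `tenant:${tuple.tenant}`, "admin", actor)) {
    return { ok: false, reason: `${actor} is not an admin of tenant ${tuple.tenant}` };
  }
  const owner = store.objectTenant[tuple.object];
  if (owner !== undefined && owner !== tuple.tenant) {
    return { ok: false, reason: `${tuple.object} belongs to tenant ${owner}` };
  }
  store.objectTenant[tuple.object] = tuple.tenant; // first write claims the object
  store.tuples.push(tuple);
  return { ok: true };
}

// Dry run: decide each request against the current tuples and against the
// current tuples plus `proposed`, committing nothing, so a reviewer sees which
// decisions a policy change would flip before it ships.
function simulate(store, proposed, requests) {
  const after = store.tuples.concat(proposed);
  return requests.map(([object, relation, user]) => ({
    request: `${user} ${relation} ${object}`,
    before: check(store.tuples, object, relation, user),
    after: check(after, object, relation, user),
  }));
}

// Constructed demo: two partner banks sharing one store.
function demo() {
  const store = { tuples: [], objectTenant: {} };
  bootstrapTenant(store, "acme", "user:alice");
  writeTuple(store, "user:alice", { tenant: "acme", object: "customer:c1", relation: "tenant", subject: "tenant:acme" });
  writeTuple(store, "user:alice", { tenant: "acme", object: "account:a1", relation: "customer", subject: "customer:c1" });
  writeTuple(store, "user:alice", { tenant: "acme", object: "account:a1", relation: "owner", subject: "user:carol" });
  bootstrapTenant(store, "beta", "user:bob"); // second partner, no new roles
  writeTuple(store, "user:bob", { tenant: "beta", object: "customer:c2", relation: "tenant", subject: "tenant:beta" });
  writeTuple(store, "user:bob", { tenant: "beta", object: "account:a2", relation: "customer", subject: "customer:c2" });
  return store;
}
```

Onboarding the second bank in `demo()` adds only tuples; `RULES`, the equivalent of a role catalogue, is untouched, which is the property the fintech case study attributes to ReBAC. The ownership check in `writeTuple` is what makes "isolation at the authorization layer" hold while every tenant shares one store: a delegated admin of one tenant cannot attach relations to another tenant's objects even though the tuples sit side by side. `simulate` answers "who gains or loses access if this change ships" without mutating the store, which is the review step a versioned policy workflow needs before approval.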
Diagram
Who Is Keymate For?
Keymate serves three primary personas, each with distinct needs:
Security Leaders
Control, comply, and audit without losing speed.
- DSAC for sensitive data enforcement
- RADAC for real-time risk decisions
- Audit-ready logs and approval workflows
- Policy lifecycle governance
Architects and Infrastructure Teams
Deploy anywhere. Enforce everywhere.
- Kubernetes-native, air-gapped, and hybrid support
- API gateway and service mesh filters
- Parallel integration with legacy IAM
- Multi-tenant organization scoping
Developers and Application Teams
Build secure apps faster with full visibility.
- Visual DSL and simulation
- SDKs for Java, .NET, and JavaScript
- Attribute-based access logic
- Debug policies before going live
Common Misunderstandings
- "Keymate is only for large enterprises." Keymate scales from small teams to millions of users. The organizational models (B2B, B2B2C, G2C) represent topology patterns, not size requirements. A SaaS startup with multi-tenant needs benefits just as much as a government agency.
- "We need to migrate users to use Keymate." No user migration is required. Keymate layers on top of your existing Keycloak deployment. Users, authentication flows, and federation remain unchanged.
- "Each use case requires a different deployment." A single Keymate deployment can support multiple organizational models simultaneously. Tenant isolation is enforced at the authorization layer, not the infrastructure layer.